SSH asking every single time for passphrase

7.3k views Asked by At

I have an annoying problem with my private key. Every time I want to clone or push via ssh in terminal or Tower app, I have to type my passphrase.

I even removed and recreated the ssh key and set the key on Github several times, but it looks like it has a short lifetime and after a couple of minutes, is expired!

I followed generate a new SSH key to create the key. At the end I ran ssh-add ~/.ssh/id_rsa and it printed out:

Identity added: /Users/sajad/.ssh/id_rsa (/Users/sajad/.ssh/id_rsa)

After I restarted my machine I ran ssh-add -l to check whether it's still there or not and here is the result:

The agent has no identities.

How can I fix this? I use macOS.

My /etc/ssh/ssh_config:

#   $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
        SendEnv LANG LC_*

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Protocol 2
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
3

There are 3 answers

5
Dan Lowe On BEST ANSWER

Ensure you are actually using SSH

This really sounds like your remote is not using SSH at all, but is using HTTP. In that case, every time you use the remote, it will ask you to authenticate.

You can check this by looking at your remote URLs. For SSH you want it to look like this:

$ git remote -v
origin  [email protected]:yourUsername/yourRepo (fetch)
origin  [email protected]:yourUsername/yourRepo (push)

If you are using HTTP, then it will instead look like this:

$ git remote -v
origin  https://github.com/yourUsername/yourRepo.git (fetch)
origin  https://github.com/yourUsername/yourRepo.git (push)

If you find it is set to use HTTP, it's easy to change.

git remote set-url origin [email protected]:yourUsername/yourRepo

SSH key asking for passphrase every time it is used

If it turns out that you are already using SSH, you should check your SSH configuration. There are two locations to check on a Mac.

  • /etc/ssh/ssh_config
  • /Users/{your_username}/.ssh/config

In particular, you do not want this setting:

AddKeysToAgent confirm

From the ssh_config man page:

AddKeysToAgent
   Specifies whether keys should be automatically added to a running
   ssh-agent(1).  If this option is set to ``yes'' and a key is
   loaded from a file, the key and its passphrase are added to the
   agent with the default lifetime, as if by ssh-add(1).  If this
   option is set to ``ask'', ssh will require confirmation using the
   SSH_ASKPASS program before adding a key (see ssh-add(1) for
   details).  If this option is set to ``confirm'', each use of the
   key must be confirmed, as if the -c option was specified to
   ssh-add(1).  If this option is set to ``no'', no keys are added
   to the agent.  The argument must be ``yes'', ``confirm'',
   ``ask'', or ``no''.  The default is ``no''.

And this is a description of the -c flag to ssh-add:

-c      Indicates that added identities should be subject to confirmation
        before being used for authentication.  Confirmation is performed
        by ssh-askpass(1).  Successful confirmation is signaled by a zero
        exit status from ssh-askpass(1), rather than text entered into
        the requester.

SSH key not present in agent at startup

After you restart the machine, the key being gone is normal. You have to add it at least once after the machine starts up.

1
Nathan Kleyn On

There's some really good solutions to a very similar question over on SuperUser and AskDifferent.

The basic gist is that Apple recently changed some of these behaviours in Sierra. Thankfully, it's simple to get them back by adding the following to the top of your ~/.ssh/config file:

Host *
  AddKeysToAgent yes
  UseKeychain yes

That should be enough to get it to start using the keychain to store/retrieve your SSH key passphrase.

0
user1050755 On
# ~/.ssh/config:
AddKeysToAgent yes

# you should also add "-t" to ssh-agent startup to forget decrypted keys
# after some time (here: 1 hour, overridden by ssh-add - in case you really
# need to use some keys all the time)
# ~/.bashrc:
if ! pidof /usr/bin/ssh-agent >/dev/null; then
  ssh-agent -t 3600 > ~/.ssh/.agent.pid
fi
source ~/.ssh/.agent.pid >&/dev/null